CVE-2024-56026

High

Published: 02 January 2025

Published

02 January 2025

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 28.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg – SiteOrigin Simple Proxy simple-proxy allows Reflected XSS.This issue affects Simple Proxy: from n/a through <= 1.0.

Security Summary

CVE-2024-56026 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Greg – SiteOrigin Simple Proxy plugin (simple-proxy) for WordPress. This issue affects all versions of the plugin from n/a through 1.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it necessitates user interaction such as clicking a malicious link. By crafting inputs that are improperly neutralized and reflected in generated web pages, an attacker can execute arbitrary scripts in the victim's browser context, achieving low impacts on confidentiality, integrity, and availability while changing the scope to affect the site's security context.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simple-proxy/vulnerability/wordpress-simple-proxy-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/simple-proxy/vulnerability/wordpress-simple-proxy-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com